Archive for the ‘Security’ Category

Posted in February 13, 2018 ¬ 11:58h.Robin EdgarComments Off on Consumers prefer security over convenience for the first time ever, IBM Security report finds

“We always talk about the ease of use, and not impacting user experience, etc, but it turns out that when it comes to their financial accounts…people actually would go the extra mile and will use extra security,” Kessem said. Whether it’s using two factor authentication, an SMS message on top of their password, or any […]

Posted in February 13, 2018 ¬ 11:57h.Robin EdgarComments Off on Do Not, I Repeat, Do Not Download Onavo, Facebook’s Vampiric VPN Service

There’s a new menu item in the Facebook app, first reported by TechCrunch on Monday, labeled “Protect.” Clicking it will send you to the App Store and prompt you to download a Virtual Private Network (VPN) service called Onavo. (“Protect” shows up in the iOS app. Gizmodo looked for it on an Android device and […]

Posted in February 13, 2018 ¬ 11:56h.Robin EdgarComments Off on Fiat Chrysler Pushed A UConnect Update That Causes Constant Reboots With No Announced Fix

It appears that the over-the-air update to the UConnect system went out on Friday, and many, many owners have not had working center-stack systems since then. Many of these vehicles are nearly brand-new, which makes the issue even more maddening. […] The failure of the UConnect system isn’t just limited to not having a radio; […]

Posted in February 12, 2018 ¬ 10:20h.Robin EdgarComments Off on IBM Notes Privilege escalation in IBM Notes Smart Update Service

IBM iNotes SUService can be misguided into running malicious code from a DLL masquerading as a windows DLL in the temp directory. IBM Plans to address this vulnerability by providing a fix. Source: IBM Security Bulletin: IBM Notes Privilege escalation in IBM Notes Smart Update Service – United States

Posted in February 10, 2018 ¬ 13:09h.Robin EdgarComments Off on US state’s pot dealer database pwned after security goes up in smoke

The US state of Washington says a miscreant was able to access the system it uses to track the manufacturing and sale of marijuana. The Evergreen State’s Liquor and Cannabis Board – a job that sounds way cooler than it actually is – yesterday admitted that last weekend someone was able to exploit a vulnerability […]

Posted in February 10, 2018 ¬ 13:07h.Robin EdgarComments Off on You can resurrect any deleted GitHub account name. If you depend on that account you may find yourself in trouble

The individual identifying himself as Jim Teeuwen, who maintained GitHub repository for a tool called go-bindata for embedded data in Go binaries, recently deleted his GitHub account, taking with it a resource that other Go developers had included in their projects. The incident echoes the more widely noted 2016 disappearance of around 250 modules maintained […]

Posted in February 9, 2018 ¬ 12:21h.Robin EdgarComments Off on Wish you could log into someone’s Netgear box without a password? Summon a &genie=1 – get patching!

Some 17 Netgear routers have a remote authentication bypass, meaning malware or miscreants on your network, or able to reach the device’s web-based configuration interface from the internet, can gain control without having to provide a password. Just stick &genie=1 in the URL, and bingo. That’s pretty bad news for any vulnerable gateways with remote […]

Posted in February 9, 2018 ¬ 12:05h.Robin EdgarComments Off on PinMe: Tracking a Smartphone User around the World with GPS and WiFi off

We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment’s air pressure, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user’s location when all location services, e.g., GPS, are turned off. Source: [1802.01468] PinMe: Tracking a Smartphone User around the World

Posted in February 1, 2018 ¬ 23:43h.Robin EdgarComments Off on Maybe you should’ve stuck with NetWare: Hijackers can bypass Active Directory controls

“The idea of a rogue domain controller is not new and has been mentioned multiple times in previous security publications but required invasive techniques (like installing a virtual machine with Windows Server) and to log on a regular domain controller (DC) to promote the VM into a DC for the targeted domain.”That’s easily spotted, so […]

Posted in January 31, 2018 ¬ 11:55h.Robin EdgarComments Off on Lenovo Fingerprint Manager Pro for Windows has a hardcoded password

A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in. Source: Lenovo Fingerprint Manager Pro […]

Posted in January 31, 2018 ¬ 11:52h.Robin EdgarComments Off on Heat Map Released by Fitness Tracker Reveals Location of Secret Military Bases

Strava which markets itself as a “social-networking app for athletes” publicly made available the global heat map, showing the location of all the rides, runs, swims, and downhills taken by its users, as collected by their smartphones and wearable devices like Fitbit. Since Strava has been designed to track users’ routes and locations, IUCA analyst […]

Posted in January 31, 2018 ¬ 11:12h.Robin EdgarComments Off on Dutch agencies provide crucial intel about Russia’s interference in US-elections, US burns the Dutch source

The Cozy Bear hackers are in a space in a university building near the Red Square. The group’s composition varies, usually about ten people are active. The entrance is in a curved hallway. A security camera records who enters and who exits the room. The AIVD hackers manage to gain access to that camera. Not […]

Posted in January 28, 2018 ¬ 22:46h.Robin EdgarComments Off on Researchers find a way to link TOR / Silk Road BTC expenditure to people using two datasets

To do so, the Qatari researchers first collected dozens of bitcoin addresses used for donations and dealmaking by websites protected by the anonymity software Tor, run by everyone from WikiLeaks to the now-defunct Silk Road. Then they scraped thousands of more widely visible bitcoin addresses from the public accounts of users on Twitter and the […]

Posted in January 24, 2018 ¬ 11:33h.Robin EdgarComments Off on Easy to watch over your shoulder at your Tindering

Checkmarx researchers disclosed two flaws (CVE-2018-6017, CVE-2018-6018) and a proof of concept (see video below) for an app that could sit on the wireless network of, say, an airport or hotel and observe actions including profile views, swipes, and likes. The first issue, CVE-2018-6017, results from the Tinder’s app’s use of insecure HTTP connections to […]

Posted in January 24, 2018 ¬ 11:31h.Robin EdgarComments Off on It’s 2018 and your Macs, iPhones can be pwned by playing evil music: lots of patches

Apple has released security patches for iOS and macOS that include, among other things, Meltdown and Spectre fixes. The new versions should be installed as soon as possible. […] Less-hyped, but still serious, are vulnerabilities in the macOS kernel that include an exploitable race condition (CVE-2018-4092), a validation issue (CVE-2018-4093), and memory initialization bug (CVE-2018-4090) […]

Electron is a node.js and Chromium framework that lets developers use Web technologies (JavaScript, HTML and CSS) to build desktop apps. It’s widely-used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters. Slack users should update to version 3.0.3 or better, and the latest version of Skype for […]

Posted in January 23, 2018 ¬ 17:40h.Robin EdgarComments Off on Intel patches for Spectre cause reboots, Intel tells people to stop installing them and also please help test for them

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated […]

Posted in January 19, 2018 ¬ 17:45h.Robin EdgarComments Off on Someone is touting a mobile, PC spyware platform called Dark Caracal to governments

Dark Caracal [PDF] appears to be controlled from the Lebanon General Directorate of General Security in Beirut – an intelligence agency – and has slurped hundreds of gigabytes of information from devices. It shares its backend infrastructure with another state-sponsored surveillance campaign, Operation Manul, which the EFF claims was operated by the Kazakhstan government last […]

Posted in January 17, 2018 ¬ 11:22h.Robin EdgarComments Off on Lenovo inherited a switch authentication bypass

Lenovo has patched an ancient vulnerability in switches that it acquired along with IBM’s hardware businesses and which Big Blue itself acquired when it slurped parts of Nortel. The bug, which Lenovo refers to as “HP backdoor”, for reasons it has not explained, has been in present in ENOS (Enterprise network operating system) since at […]

Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. […] As a precaution, we are temporarily disabling credit card payments at oneplus.net. PayPal is still […]

Posted in January 15, 2018 ¬ 11:42h.Robin EdgarComments Off on All Intel laptops open to unlocking with ctrl-P and “admin”. Another fatal flaw in Intel Management Engine.

F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists […]

Let’s Encrypt – a SSL/TLS certificate authority run by the non-profit Internet Security Research Group (ISRG) to programmatically provide websites with free certs for their HTTPS websites – on Thursday said it is discontinuing TLS-SNI validation because it’s insecure in the context of many shared hosting providers. TLS-SNI is one of three ways Let’s Encrypt’s […]

Researchers at the firm Digital Interruption on Tuesday warned that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application – a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability […]

Posted in January 15, 2018 ¬ 11:33h.Robin EdgarComments Off on Wait, what? The Linux Kernel Mailing List archives lived on ONE PC? One BROKEN PC?

Spare a thought for Jasper Spaans, who hosts the Linux Kernel Mailing List archive from a single PC that lives in his home. And since things always happen this way the home machine died while he was on holiday. The archive was therefore unavailable for much of the weekend, although Linux developers could still use […]